Summary: selinux-virt policy needs to create/update virtual_domain_context, virtual_image_context
Product: Gentoo Linux
Reporter: Chris Richards <gizmo>
Component: Hardened
Assignee: Sven Vermeulen (RETIRED) <swift>
Severity: normal
CC: pebenito, selinux
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Package list:
Runtime testing required: ---
Description Chris Richards 2010-08-01 21:53:25 UTC
When selinux-virt is emerged, the policy does not create/update virtual_domain_context, virtual_image_context files in /etc/selinux/{strict,targeted}/contexts.  libvirt uses these files to tell it what context to switch to for performing virtualization functions.

Reproducible: Always

Steps to Reproduce:
1. emerge selinux-virt
2. emerge kvm
3. Attempt to do something requiring libvirt (such as run kvm)
Actual Results:
Observe error "error : SELinuxInitialize:115 : cannot open SELinux virtual domain context file '/etc/selinux/strict/contexts/virtual_comain_context': No such file or directory".  Verify that the file does not actually exist.

Expected Results:
No error, and the files exist in the appropriate location.

These files are not created by the SELinux build process, but rather are system dependent.  However, it appears that they can be modeled after the ones used by RHEL/Fedora (indeed, testing was performed using files from a Fedora system).
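A check for the failure described above, added here as an example and not code from this bug, from the policy package or from libvirt: it verifies that a policy's contexts directory holds both files libvirt opens at start-up and that every line in them is a well-formed SELinux context. The sample type names (svirt_t, svirt_image_t and friends) are assumptions modeled on Fedora's policy, not values taken from this report.

```shell
#!/bin/sh
# Verify that CONTEXTS_DIR (e.g. /etc/selinux/strict/contexts) carries the two
# files libvirt reads: virtual_domain_context and virtual_image_context.
# A context line is user:role:type with an optional :level (MLS/MCS) part.
CTX_RE='^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+(:[A-Za-z0-9_.:-]+)?$'

# check_ctx_file FILE: 0 if FILE exists, is non-empty and every non-blank,
# non-comment line is a valid context; 1 otherwise (reason on stderr).
check_ctx_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        printf '%s\n' "$line" | grep -Eq "$CTX_RE" \
            || { echo "bad context in $f: $line" >&2; return 1; }
        n=$((n + 1))
    done < "$f"
    [ "$n" -gt 0 ] || { echo "empty: $f" >&2; return 1; }
    return 0
}

# check_virt_contexts CONTEXTS_DIR: 0 only if both files pass.
check_virt_contexts() {
    rc=0
    for name in virtual_domain_context virtual_image_context; do
        check_ctx_file "$1/$name" || rc=1
    done
    return $rc
}

# Constructed sample tree for demonstration. The svirt_* type names are an
# assumption modeled on Fedora's policy, not values from this bug report.
make_sample_contexts() {
    dir=$1
    mkdir -p "$dir"
    printf 'system_u:system_r:svirt_t:s0\nsystem_u:system_r:svirt_tcg_t:s0\n' \
        > "$dir/virtual_domain_context"
    printf 'system_u:object_r:svirt_image_t:s0\nsystem_u:object_r:svirt_content_t:s0\n' \
        > "$dir/virtual_image_context"
}

# Usage: sh check_virt_contexts.sh /etc/selinux/strict/contexts
if [ -n "$1" ]; then
    check_virt_contexts "$1" && echo "ok: $1"
fi
```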
Comment 1 Chris Richards 2010-08-01 22:01:20 UTC
I'm apparently on drugs: there is no selinux-virt ebuild.
Comment 2 iGentoo 2011-10-18 13:09:50 UTC
without /etc/selinux/*/contexts/{virtual_domain_context,virtual_image_context}:
libvirtd                                                      [  crashed  ]

with /etc/selinux/*/contexts/{virtual_domain_context,virtual_image_context}:
libvirtd                                                      [  started  ]

Comment 3 iGentoo 2011-10-18 13:22:37 UTC
an example of {virtual_domain_context,virtual_image_context}

Comment 4 iGentoo 2011-10-18 13:23:12 UTC
Comment 5 iGentoo 2011-10-18 13:38:46 UTC
21:05:02.699: 6060: info : libvirt version: 0.9.6
21:05:02.699: 6060: error : SELinuxInitialize:120 : cannot open SELinux virtual domain context file '/etc/selinux/mls/contexts/virtual_domain_context':     No such file or directory
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2011-10-18 17:54:58 UTC
I never got libvirt working properly, but at least this will keep me focused that it needs to be fixed ;p
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-27 19:16:44 UTC
In hardened-dev overlay
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2012-01-14 20:00:59 UTC
Pushed to main tree, ~arch
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2012-02-26 10:03:25 UTC